What is my Azure password for azure-cli - azure

I am trying to spin up a Kubernetes cluster using my Microsoft Azure account. I'm following this guide:
https://github.com/kubernetes/kubernetes/blob/release-1.0/docs/getting-started-guides/coreos/azure/README.md#lets-go
At some point, the guide instructs to execute this command:
./azure-login.js -u <your_username>
I am pretty new to Azure, and I don't know what this username is. I have an e-mail that I use to login to the Azure Portal, where I can start virtual machines.

The issue was that apparently one needs to have an organization account in order to use the Azure CLI tool. I had set up my account as an individual, with an e-mail address, so the tool wasn't working.
The solution was to convert my account to an organizational one by playing with the Active Directory service, as explained here:
https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-work-id-from-personal/

A simple peek at azure-login.js (located in the same folder as the link you posted) shows:
require('child_process').fork('node_modules/azure-cli/bin/azure', ['login'].concat(process.argv));
So... it's calling the azure cli: azure login username
And username would be your email address for your Azure subscription (the same email address you'd login with in the portal). You'd then be prompted for your password.

Related

How to log in to Azure using az cli from a Gitlab CI runner?

I have generated a zip file of a Node.JS-based web app in Gitlab, and I am trying to deploy it as an Azure "web app" using az webapp deploy. This works fine on my local machine where I am logged in, but I can't for the life of me figure out how I can log in to Azure from the Gitlab runner, so that I can run that same command. I've tried:
Using the Publish Profile (already need to be logged in for that!)
Creating a managed identity with roles on the app (but I don't have access to AD)
Creating the managed system identity in the app's "Identity" pane (can't find any associated password?!)
Generating a JWT token to store in Gitlab as described in this question (I don't have access to the App Registrations functionality)
I don't want to use Azure to rebuild the application using the webhook system, I already have a known-working ZIP package that I want to deploy. My only hangup is logging in.
How can I log in to Azure -- i.e. what incantations do I have to provide to az login -- from a Gitlab CI runner, in order to deploy my website from a zipped Gitlab artifact to the App Service?
(note: I am a teacher and trying to figure this out for my students; it is possible that I am working with a somehow-limited Azure but my local IT doesn't support us for this and of course neither will Microsoft.)
If you cannot access the app registrations as discussed in a similar question and have no federation configured, your only options are to use a username and password (e.g. a user's username and password to authenticate to AAD), use a device code flow, or self-host your GitLab runner on Azure with a managed identity.
Using username and password
Using a username and password is straightforward:
az login --tenant $YOUR_TENANT_ID -u $YOUR_USERNAME -p $YOUR_PASSWORD
However, this may not be possible if you normally do not log in to Azure using a username and password (for example, you use OAuth or other federated login for the Azure portal and users have no passwords set). In which case, you will need to use the device code flow.
Using device code
To use device code flow, you will need to monitor the job output, copy the URL shown, and login from your browser every time your job runs. In your job, add the following:
az login --tenant $YOUR_TENANT_ID --use-device-code
In the job output you will see a message similar to the following:
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code YOUR-CODE-WILL-APPEAR-HERE to authenticate
Copy the code from the message, open your browser to the device login page and enter the code to allow your job to proceed.
Note: It is possible for organizations to disable this login method, in which case you will see an error when trying to login this way.
Self-hosting GitLab runner on Azure with a managed identity
Lastly, if you're not able to use any of the above methods, you can deploy the GitLab runner to Azure itself as an application that uses a managed identity (for example on AKS, ACI, or on a VM with a managed identity).
For example, you can configure a shell runner on an Azure VM. Azure VMs with a managed identity will not require az login to perform az cli commands.
Creating the managed system identity in the app's "Identity" pane (can't find any associated password?!)
The reason you can't find any associated password is because managed identities can only be leveraged from Azure services -- for example, Azure VMs using a managed identity are able to use az cli without logging in.
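An added example (not part of the answer above) of what the username/password option looks like as a GitLab job, with the credentials kept in masked, protected CI/CD variables rather than in the repository; the variable names, the artifact name app.zip and the resource group / web app names are assumptions:

```yaml
# .gitlab-ci.yml (added example; assumed variable and artifact names)
# AZ_TENANT_ID, AZ_USERNAME, AZ_PASSWORD, AZ_RESOURCE_GROUP and AZ_WEBAPP_NAME
# are GitLab CI/CD variables marked "Masked" and "Protected", so they are only
# exposed to jobs on protected branches and are redacted from job logs.
stages:
  - deploy

deploy_webapp:
  stage: deploy
  image: mcr.microsoft.com/azure-cli      # official image that ships `az`
  only:
    - main                                # protected branch, so protected variables are available
  script:
    # Username/password flow from the answer; nothing secret is committed to the repo.
    # If your tenant has no passwords set, replace this line with the device code flow:
    #   az login --tenant "$AZ_TENANT_ID" --use-device-code
    - az login --tenant "$AZ_TENANT_ID" -u "$AZ_USERNAME" -p "$AZ_PASSWORD" --output none
    - az webapp deploy --resource-group "$AZ_RESOURCE_GROUP" --name "$AZ_WEBAPP_NAME" --src-path app.zip --type zip
  after_script:
    # Drop the cached token so it does not outlive the job on a shared runner.
    - az logout || true
```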

How to create service Account in Azure DevOps?

I am trying to get 7 pace timesheet details along with Azure DevOps work details programmatically using PAT token. I want to use a service account instead of a user account.
Can you please guide me to create a service account?
This service account should have 7 pace applications along with
Azure DevOps access.
The service account MFA should be disabled.
So that it can be used in Azure Runbook.
You must choose a new account that is either a system account or a member of a workgroup or domain that is trusted by every computer in this deployment of Azure DevOps Server.
Then you can set up a service account in two ways:
Use the administration console to change the service account
Open the administration console for Azure DevOps on the server that hosts the application tier.
In the console, expand the server name and select Application Tier.
In the Application Tier pane, select Change Account.
The Update Service Account window opens.
Perform one of the following steps:
To use a system account, select Use a system account, and then select a system account from the drop-down list - If your server is a member of an Active Directory domain, the default choice for the system account to use is Network Service. If your server is a member of a workgroup, the default choice is Local Service. Depending on the details of your deployment, the default choice may be the only available choice.
To use a domain or workgroup account, select Use a user account, enter the name of the account in Account Name, and then enter the password for that account in Password.
Use the TFSConfig utility to change the service account
On the application-tier server, open a Command Prompt window and change directories to the directory that contains the TFSConfig utility. By default, this utility is located in Drive:\Program Files\TFS 12.0\Tools.
At the command line, enter TFSConfig Accounts /change /accountType:ApplicationTier /account:AccountName /password:NewPassword, and then press ENTER.

Can't start Azure free trial because of MS account both doesn't exist and already exists

My team already has a working Azure DevOps account. I would like to start an Azure subscription / Active Directory to begin linking our DevOps to App Services and other Azure products.
However, any time I click on a link to get started with Azure, I am met with a perplexing paradox trying to log in.
First I'm told that I can't log in because my MS account isn't found:
But if I try to "Create one!" or "get a new Microsoft account", I'm told it already exists:
I've taken out the email address being used, but I've confirmed they are the same between the two screens (I'm not even typing anything; all I'm doing is clicking "Next" on each screen).
I know that this MS account is valid. It's the same one I use to sign in with Azure DevOps and many other MS services. I'm not sure why I can't log in to the Azure set up platform. And there doesn't seem to be any kind of support options with Azure before you become a subscriber, so I thought I'd try my luck posting the issue here.
Thanks for any help!
You can connect your Azure DevOps organization to Azure Active Directory (Azure AD). Kindly check out this document - About accessing your organization via Azure AD
Just to clarify, I hope you are an administrator on the subscription.
https://learn.microsoft.com/azure/devops/organizations/accounts/faq-azure-access?view=azure-devops
When your sign-in address is shared by your personal Microsoft account and by your work account or school account, but your selected identity doesn't have access, you can't sign in. Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions.
Sign out completely from Azure DevOps by completing the following steps.
Closing your browser might not sign you out completely.
Sign in again and select your other identity.
https://learn.microsoft.com/azure/devops/organizations/accounts/faq-azure-access?view=azure-devops
To connect your organization to Azure AD.
Sign in to your organization (https://dev.azure.com/{yourorganization}).
Select gear icon > Organization settings.
Select Azure Active Directory, and then select Connect directory.

How to register your Azure resource as an Application in Azure Active Directory?

I have an Azure CDN. It has a custom domain, and I attempting to register my own certificate for HTTPS support.
I am attempting to follow the instructions here: https://learn.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-2-enable-https-with-your-own-certificate
I have uploaded my Certificate to a Key Vault. That should be good. I am now trying to grant my Azure CDN Profile access to my Key Vault in order for it to get the certificate. That is this step in the tutorial (Register Azure CDN, step #2)
That step shows a GUID (205478c0-bd83-4e1b-a9d6-db63a3e1e1c8). Where is that coming from? Is that the identifier for my Azure CDN Profile? If so, where would I get that?
I also just noticed there are two commands there: The text shows New-AzADServicePrincipal, but the screenshot shows New-AzureRmADServicePrincipal. Presumably, the latter is the (older?) command based on Resource Manager. But, which one should I be using?
Also, I don't think I have Azure Powershell installed. Can I do this using Cloud Shell via the Azure Portal?
What I see when I attempt to run the command from Cloud Shell
That step shows a GUID (205478c0-bd83-4e1b-a9d6-db63a3e1e1c8). Where is that coming from? Is that the identifier for my Azure CDN Profile? If so, where would I get that?
The GUID is the Application ID of the multi-tenant AD App in the Microsoft tenant (microsoft.onmicrosoft.com). When you use New-AzADServicePrincipal with the GUID, it will create a service principal related to this AD App in your AAD tenant, which represents your CDN.
When you run the New-AzADServicePrincipal successfully, you could find it in the portal -> Azure Active Directory -> Enterprise applications in your tenant.
I also just noticed there are two commands there: The text shows New-AzADServicePrincipal, but the screenshot shows New-AzureRmADServicePrincipal. Presumably, the latter is the (older?) command based on Resource Manager. But, which one should I be using?
The New-AzureRmADServicePrincipal belongs to the old AzureRM module, New-AzADServicePrincipal belongs to the new Az module. You could use both of them, but I recommend you to use New-AzADServicePrincipal, because the AzureRM module was deprecated and will not be updated any more.
Also, I don't think I have Azure Powershell installed. Can I do this using Cloud Shell via the Azure Portal?
Of course, you can. Just run that in the cloud shell, no need to install any module manually.

Accessing Azure with both Microsoft Account and Work Account

This problem may stem from the dependency on MS accounts for MSDN instead of work accounts, but maybe some one has found a solution?
I use the same email address for both my MS and Work Accounts.
Our Company Subscriptions seem to be linked to our MS Accounts, as do our VSTS accounts. I can sign into Azure Portals using both MS and Work Account. I want to be able to deploy to our company subscription from VSTS.
When I sign into Azure, using my work account, I can see our Azure AD. I am a global admin and can make changes, etc. This is not visible when I sign in using the MS account. It tells me I do not have access, which I can understand.
In VSTS, I have linked my MS Account to my work account. But I can't access some of the projects' {whatever}.visualstudio.com VSTS sites with my work account, I must use my MS account.
The main problem is when I try to set up a build and deploy from VSTS into the Company Azure Subscription. To achieve this I need to set up a Service Endpoint to ARM in Azure. So I go ahead and try to do that.
It fails as it says that the account does not have the sufficient privileges needed in Azure Active Directory. Remember, AAD is only accessible when I log into my work account in the azure portal.
One last point, AAD would see my MS account as a guest account, so I thought 'hey, I will add that account to AAD as a guest and assign privileges necessary to perform the tasks I need'. But because the same email address was used for both my MS account and work account, it tells me when I try to add the guest account, that it already exists.
Is there any way around this problem? How can I associate/move all VSTS subscriptions to my work account?
When the VSTS identity you are using does not have access to the Azure subscription you're trying to deploy to, the best way to do this is to create your service endpoint manually.
The steps are [here][1]. See the Azure Resource Manager service endpoint -> Manual subscription definition section. It has a few more steps, but once you create that, just use that service endpoint in your build or release definitions and you're good to go.